diff options
author | Greg Kroah-Hartman <gregkh@suse.de> | 2011-02-16 14:24:37 -0800 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-02-16 14:24:37 -0800 |
commit | d761012436e0fe3dfc3d2bd1042ccf27d6e330ff (patch) | |
tree | 6d8df9058a20608db99937a4bcda47676882b9ea | |
parent | 187df1a643101159115c2ca8cc8e45fb2d236921 (diff) | |
download | longterm-queue-2.6.33-d761012436e0fe3dfc3d2bd1042ccf27d6e330ff.tar.gz |
.33 patches
6 files changed, 350 insertions, 0 deletions
diff --git a/queue-2.6.33/av7110-check-for-negative-array-offset.patch b/queue-2.6.33/av7110-check-for-negative-array-offset.patch new file mode 100644 index 0000000..9868820 --- /dev/null +++ b/queue-2.6.33/av7110-check-for-negative-array-offset.patch @@ -0,0 +1,31 @@ +From cb26a24ee9706473f31d34cc259f4dcf45cd0644 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <error27@gmail.com> +Date: Fri, 7 Jan 2011 16:41:54 -0300 +Subject: [media] [v3,media] av7110: check for negative array offset + +From: Dan Carpenter <error27@gmail.com> + +commit cb26a24ee9706473f31d34cc259f4dcf45cd0644 upstream. + +info->num comes from the user. It's type int. If the user passes +in a negative value that would cause memory corruption. + +Signed-off-by: Dan Carpenter <error27@gmail.com> +Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/media/dvb/ttpci/av7110_ca.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/dvb/ttpci/av7110_ca.c ++++ b/drivers/media/dvb/ttpci/av7110_ca.c +@@ -277,7 +277,7 @@ static int dvb_ca_ioctl(struct inode *in + { + ca_slot_info_t *info=(ca_slot_info_t *)parg; + +- if (info->num > 1) ++ if (info->num < 0 || info->num > 1) + return -EINVAL; + av7110->ci_slot[info->num].num = info->num; + av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? diff --git a/queue-2.6.33/cred-fix-get_task_cred-and-task_state-to-not-resurrect-dead-credentials.patch b/queue-2.6.33/cred-fix-get_task_cred-and-task_state-to-not-resurrect-dead-credentials.patch new file mode 100644 index 0000000..9cb01e5 --- /dev/null +++ b/queue-2.6.33/cred-fix-get_task_cred-and-task_state-to-not-resurrect-dead-credentials.patch @@ -0,0 +1,177 @@ +From de09a9771a5346029f4d11e4ac886be7f9bfdd75 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Thu, 29 Jul 2010 12:45:49 +0100 +Subject: CRED: Fix get_task_cred() and task_state() to not resurrect dead credentials + +From: David Howells <dhowells@redhat.com> + +commit de09a9771a5346029f4d11e4ac886be7f9bfdd75 upstream. + +It's possible for get_task_cred() as it currently stands to 'corrupt' a set of +credentials by incrementing their usage count after their replacement by the +task being accessed. + +What happens is that get_task_cred() can race with commit_creds(): + + TASK_1 TASK_2 RCU_CLEANER + -->get_task_cred(TASK_2) + rcu_read_lock() + __cred = __task_cred(TASK_2) + -->commit_creds() + old_cred = TASK_2->real_cred + TASK_2->real_cred = ... + put_cred(old_cred) + call_rcu(old_cred) + [__cred->usage == 0] + get_cred(__cred) + [__cred->usage == 1] + rcu_read_unlock() + -->put_cred_rcu() + [__cred->usage == 1] + panic() + +However, since a tasks credentials are generally not changed very often, we can +reasonably make use of a loop involving reading the creds pointer and using +atomic_inc_not_zero() to attempt to increment it if it hasn't already hit zero. + +If successful, we can safely return the credentials in the knowledge that, even +if the task we're accessing has released them, they haven't gone to the RCU +cleanup code. + +We then change task_state() in procfs to use get_task_cred() rather than +calling get_cred() on the result of __task_cred(), as that suffers from the +same problem. + +Without this change, a BUG_ON in __put_cred() or in put_cred_rcu() can be +tripped when it is noticed that the usage count is not zero as it ought to be, +for example: + +kernel BUG at kernel/cred.c:168! +invalid opcode: 0000 [#1] SMP +last sysfs file: /sys/kernel/mm/ksm/run +CPU 0 +Pid: 2436, comm: master Not tainted 2.6.33.3-85.fc13.x86_64 #1 0HR330/OptiPlex +745 +RIP: 0010:[<ffffffff81069881>] [<ffffffff81069881>] __put_cred+0xc/0x45 +RSP: 0018:ffff88019e7e9eb8 EFLAGS: 00010202 +RAX: 0000000000000001 RBX: ffff880161514480 RCX: 00000000ffffffff +RDX: 00000000ffffffff RSI: ffff880140c690c0 RDI: ffff880140c690c0 +RBP: ffff88019e7e9eb8 R08: 00000000000000d0 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000040 R12: ffff880140c690c0 +R13: ffff88019e77aea0 R14: 00007fff336b0a5c R15: 0000000000000001 +FS: 00007f12f50d97c0(0000) GS:ffff880007400000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f8f461bc000 CR3: 00000001b26ce000 CR4: 00000000000006f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +Process master (pid: 2436, threadinfo ffff88019e7e8000, task ffff88019e77aea0) +Stack: + ffff88019e7e9ec8 ffffffff810698cd ffff88019e7e9ef8 ffffffff81069b45 +<0> ffff880161514180 ffff880161514480 ffff880161514180 0000000000000000 +<0> ffff88019e7e9f28 ffffffff8106aace 0000000000000001 0000000000000246 +Call Trace: + [<ffffffff810698cd>] put_cred+0x13/0x15 + [<ffffffff81069b45>] commit_creds+0x16b/0x175 + [<ffffffff8106aace>] set_current_groups+0x47/0x4e + [<ffffffff8106ac89>] sys_setgroups+0xf6/0x105 + [<ffffffff81009b02>] system_call_fastpath+0x16/0x1b +Code: 48 8d 71 ff e8 7e 4e 15 00 85 c0 78 0b 8b 75 ec 48 89 df e8 ef 4a 15 00 +48 83 c4 18 5b c9 c3 55 8b 07 8b 07 48 89 e5 85 c0 74 04 <0f> 0b eb fe 65 48 8b +04 25 00 cc 00 00 48 3b b8 58 04 00 00 75 +RIP [<ffffffff81069881>] __put_cred+0xc/0x45 + RSP <ffff88019e7e9eb8> +---[ end trace df391256a100ebdd ]--- + +Signed-off-by: David Howells <dhowells@redhat.com> +Acked-by: Jiri Olsa <jolsa@redhat.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/proc/array.c | 2 +- + include/linux/cred.h | 21 +-------------------- + kernel/cred.c | 25 +++++++++++++++++++++++++ + 3 files changed, 27 insertions(+), 21 deletions(-) + +--- a/fs/proc/array.c ++++ b/fs/proc/array.c +@@ -177,7 +177,7 @@ static inline void task_state(struct seq + if (tracer) + tpid = task_pid_nr_ns(tracer, ns); + } +- cred = get_cred((struct cred *) __task_cred(p)); ++ cred = get_task_cred(p); + seq_printf(m, + "State:\t%s\n" + "Tgid:\t%d\n" +--- a/include/linux/cred.h ++++ b/include/linux/cred.h +@@ -153,6 +153,7 @@ struct cred { + extern void __put_cred(struct cred *); + extern void exit_creds(struct task_struct *); + extern int copy_creds(struct task_struct *, unsigned long); ++extern const struct cred *get_task_cred(struct task_struct *); + extern struct cred *cred_alloc_blank(void); + extern struct cred *prepare_creds(void); + extern struct cred *prepare_exec_creds(void); +@@ -283,26 +284,6 @@ static inline void put_cred(const struct + ((const struct cred *)(rcu_dereference((task)->real_cred))) + + /** +- * get_task_cred - Get another task's objective credentials +- * @task: The task to query +- * +- * Get the objective credentials of a task, pinning them so that they can't go +- * away. Accessing a task's credentials directly is not permitted. +- * +- * The caller must make sure task doesn't go away, either by holding a ref on +- * task or by holding tasklist_lock to prevent it from being unlinked. +- */ +-#define get_task_cred(task) \ +-({ \ +- struct cred *__cred; \ +- rcu_read_lock(); \ +- __cred = (struct cred *) __task_cred((task)); \ +- get_cred(__cred); \ +- rcu_read_unlock(); \ +- __cred; \ +-}) +- +-/** + * get_current_cred - Get the current task's subjective credentials + * + * Get the subjective credentials of the current task, pinning them so that +--- a/kernel/cred.c ++++ b/kernel/cred.c +@@ -209,6 +209,31 @@ void exit_creds(struct task_struct *tsk) + } + } + ++/** ++ * get_task_cred - Get another task's objective credentials ++ * @task: The task to query ++ * ++ * Get the objective credentials of a task, pinning them so that they can't go ++ * away. Accessing a task's credentials directly is not permitted. ++ * ++ * The caller must also make sure task doesn't get deleted, either by holding a ++ * ref on task or by holding tasklist_lock to prevent it from being unlinked. ++ */ ++const struct cred *get_task_cred(struct task_struct *task) ++{ ++ const struct cred *cred; ++ ++ rcu_read_lock(); ++ ++ do { ++ cred = __task_cred((task)); ++ BUG_ON(!cred); ++ } while (!atomic_inc_not_zero(&((struct cred *)cred)->usage)); ++ ++ rcu_read_unlock(); ++ return cred; ++} ++ + /* + * Allocate blank credentials, such that the credentials can be filled in at a + * later date without risk of ENOMEM. diff --git a/queue-2.6.33/cred-fix-kernel-panic-upon-security_file_alloc-failure.patch b/queue-2.6.33/cred-fix-kernel-panic-upon-security_file_alloc-failure.patch new file mode 100644 index 0000000..496d391 --- /dev/null +++ b/queue-2.6.33/cred-fix-kernel-panic-upon-security_file_alloc-failure.patch @@ -0,0 +1,41 @@ +From 78d2978874e4e10e97dfd4fd79db45bdc0748550 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> +Date: Fri, 4 Feb 2011 18:13:24 +0000 +Subject: CRED: Fix kernel panic upon security_file_alloc() failure. + +From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> + +commit 78d2978874e4e10e97dfd4fd79db45bdc0748550 upstream. + +In get_empty_filp() since 2.6.29, file_free(f) is called with f->f_cred == NULL +when security_file_alloc() returned an error. As a result, kernel will panic() +due to put_cred(NULL) call within RCU callback. + +Fix this bug by assigning f->f_cred before calling security_file_alloc(). + +Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> +Signed-off-by: David Howells <dhowells@redhat.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/file_table.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/file_table.c ++++ b/fs/file_table.c +@@ -123,13 +123,13 @@ struct file *get_empty_filp(void) + goto fail; + + percpu_counter_inc(&nr_files); ++ f->f_cred = get_cred(cred); + if (security_file_alloc(f)) + goto fail_sec; + + INIT_LIST_HEAD(&f->f_u.fu_list); + atomic_long_set(&f->f_count, 1); + rwlock_init(&f->f_owner.lock); +- f->f_cred = get_cred(cred); + spin_lock_init(&f->f_lock); + eventpoll_init_file(f); + /* f->f_version: 0 */ diff --git a/queue-2.6.33/series b/queue-2.6.33/series index e3cbd80..12b09d2 100644 --- a/queue-2.6.33/series +++ b/queue-2.6.33/series @@ -339,3 +339,8 @@ mptfusion-fix-incorrect-return-value-in-mptscsih_dev_reset.patch sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch ocfs2_connection_find-returns-pointer-to-bad-structure.patch fix-pktcdvd-ioctl-dev_minor-range-check.patch +x25-decrement-netdev-reference-counts-on-unload.patch +x86-pvclock-zero-last_value-on-resume.patch +av7110-check-for-negative-array-offset.patch +cred-fix-get_task_cred-and-task_state-to-not-resurrect-dead-credentials.patch +cred-fix-kernel-panic-upon-security_file_alloc-failure.patch diff --git a/queue-2.6.33/x25-decrement-netdev-reference-counts-on-unload.patch b/queue-2.6.33/x25-decrement-netdev-reference-counts-on-unload.patch new file mode 100644 index 0000000..1aef67b --- /dev/null +++ b/queue-2.6.33/x25-decrement-netdev-reference-counts-on-unload.patch @@ -0,0 +1,36 @@ +From 171995e5d82dcc92bea37a7d2a2ecc21068a0f19 Mon Sep 17 00:00:00 2001 +From: Apollon Oikonomopoulos <apollon@noc.grnet.gr> +Date: Tue, 7 Dec 2010 09:43:30 +0000 +Subject: x25: decrement netdev reference counts on unload + +From: Apollon Oikonomopoulos <apollon@noc.grnet.gr> + +commit 171995e5d82dcc92bea37a7d2a2ecc21068a0f19 upstream. + +x25 does not decrement the network device reference counts on module unload. +Thus unregistering any pre-existing interface after unloading the x25 module +hangs and results in + + unregister_netdevice: waiting for tap0 to become free. Usage count = 1 + +This patch decrements the reference counts of all interfaces in x25_link_free, +the way it is already done in x25_link_device_down for NETDEV_DOWN events. + +Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/x25/x25_link.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/x25/x25_link.c ++++ b/net/x25/x25_link.c +@@ -393,6 +393,7 @@ void __exit x25_link_free(void) + list_for_each_safe(entry, tmp, &x25_neigh_list) { + nb = list_entry(entry, struct x25_neigh, node); + __x25_remove_neigh(nb); ++ dev_put(nb->dev); + } + write_unlock_bh(&x25_neigh_list_lock); + } diff --git a/queue-2.6.33/x86-pvclock-zero-last_value-on-resume.patch b/queue-2.6.33/x86-pvclock-zero-last_value-on-resume.patch new file mode 100644 index 0000000..9aa832e --- /dev/null +++ b/queue-2.6.33/x86-pvclock-zero-last_value-on-resume.patch @@ -0,0 +1,60 @@ +From e7a3481c0246c8e45e79c629efd63b168e91fcda Mon Sep 17 00:00:00 2001 +From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com> +Date: Mon, 25 Oct 2010 16:53:46 -0700 +Subject: x86/pvclock: Zero last_value on resume + +From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com> + +commit e7a3481c0246c8e45e79c629efd63b168e91fcda upstream. + +If the guest domain has been suspend/resumed or migrated, then the +system clock backing the pvclock clocksource may revert to a smaller +value (ie, can be non-monotonic across the migration/save-restore). + +Make sure we zero last_value in that case so that the domain +continues to see clock updates. + +Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com> +Signed-off-by: Ingo Molnar <mingo@elte.hu> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + arch/x86/include/asm/pvclock.h | 1 + + arch/x86/kernel/pvclock.c | 5 +++++ + arch/x86/xen/time.c | 2 ++ + 3 files changed, 8 insertions(+) + +--- a/arch/x86/include/asm/pvclock.h ++++ b/arch/x86/include/asm/pvclock.h +@@ -10,5 +10,6 @@ unsigned long pvclock_tsc_khz(struct pvc + void pvclock_read_wallclock(struct pvclock_wall_clock *wall, + struct pvclock_vcpu_time_info *vcpu, + struct timespec *ts); ++void pvclock_resume(void); + + #endif /* _ASM_X86_PVCLOCK_H */ +--- a/arch/x86/kernel/pvclock.c ++++ b/arch/x86/kernel/pvclock.c +@@ -111,6 +111,11 @@ unsigned long pvclock_tsc_khz(struct pvc + + static atomic64_t last_value = ATOMIC64_INIT(0); + ++void pvclock_resume(void) ++{ ++ atomic64_set(&last_value, 0); ++} ++ + cycle_t pvclock_clocksource_read(struct pvclock_vcpu_time_info *src) + { + struct pvclock_shadow_time shadow; +--- a/arch/x86/xen/time.c ++++ b/arch/x86/xen/time.c +@@ -463,6 +463,8 @@ void xen_timer_resume(void) + { + int cpu; + ++ pvclock_resume(); ++ + if (xen_clockevent != &xen_vcpuop_clockevent) + return; + |